Neehr Perfect EHR Activity – Introduction to Privacy, Security and Confidentiality Overview This activity is intended for the Intermediate and Advanced EHR student user. In this activity you will be introduced to the basic aspects related to privacy, security and confidentiality for both the consumer and the healthcare worker. Student Instructions Access the EHR and follow the steps outlined in the activity below. Students will need to use their portfolios (the chart with your name on it) to post their answers. Log into the EHR and go to the notes sections, select "new note" from the left side panel. In the progress note selection box, type "Untemplated” select the "Untemplated nurse progress note" Select your faculty as the co-signer. Type or cut and paste your answers into the note and select save to submit your work. Prerequisites 1. Completion of Scavenger Hunts I and II 2. Optional - Scavenger Hunt III Applying Meaningful Use 3. Completion of the Neehr Perfect EHR documentation activity for Health Information Terminology Objectives 1. Identify the difference between privacy, confidentiality and security. 2. Understand the details of the HIPPA security rule. 3. Recognize role-based security. Terminology Privacy: the right patients have to control who can store, retrieve, and share their health information. Confidentiality: the practices a provider employs to protect the patient’s privacy rights, such as permitting only certain authorized individuals to access a patient’s record. Security: specific safeguards or controls that are put in place to ensure the confidentiality of patient data. For example, security would include a technical safeguard that requires all individuals in the healthcare setting to log into a system using a unique account using credentials that are not shared with others, thus providing a mechanism to enforce confidentiality of the information. 1 Neehr Perfect EHR Activity-Introduction to Privacy, Security and Confidentiality v2 Archetype Innovations LLC ©2013 Details of the HIPAA Security Rule in regards to implementing HIT systems. The HIPAA Security Rule groups its security standards into three categories— administrative safeguards, physical safeguards, and technical safeguards. Administrative safeguards: the administrative functions that should be implemented to ensure that security standards are met. These standards include designating responsibility for security management, adoption of policies and procedures, and privacy and security training for an organization’s staff. Physical safeguards: the controls put in place to protect electronic systems and hardware and the data stored there, from threats such as natural disasters and unauthorized intrusion. These safeguards may include locks on doors, special rooms, and back-ups to ensure that the data can be retrieved. Technical safeguards: the automated controls used to protect electronic data and to control access. Examples include using authentication controls to ensure the identity of a person accessing a Health IT system containing electronic PHI, as well as encryption standards for data stored in HIT systems and transferred between them. Role-Based Safety & Security Overview When we think of safety and security in the EHR, we often think first of alerts and pop-ups. EHRs do indeed use the concept of the alert or pop-up message to notify users of potential risks, but these types of security are only secondary measures to encourage safe and mindful healthcare practice. Primary safety measures are built into the very structure of the EHR and are often invisible to the individual user. Primary safety measures, or “user-based security,” can help prevent a healthcare professional from potentially dangerous situations or inappropriate actions and therefore, can help prevent safety alerts and pop-ups from being triggered. This activity will introduce you to a number of the safety structures built into the EHR and provide you with hands-on experience with a few of them. Because much of the safety mechanisms in the EHR are controlled by user class, role and privilege level, you will need to log into the EHR as different users to be able to see the underlying safety structures at work. Role-Based Security Elements User Class: Classifying an individual user by professional scope of practice; i.e. Nurse, Doctor, Medical Assistant, etc. Based on the user class determines the user’s privileges, or want they can access in the EHR. 2 Neehr Perfect EHR Activity-Introduction to Privacy, Security and Confidentiality v2 Archetype Innovations LLC ©2013 Menu Options: Controls where you go and what you have access to. CPRS is actually a menu option. eMAR is a menu option. Users can be granted menu options to increase access. Security Keys: Controls what a user can and cannot do in any area of the EHR. e.g. CPRS Med Button to order crash cart meds in the BCMA. In order to have the CPRS Med Button, a user must first be in the Nurse User Class AND have the BCMA Menu Option, only then can they be granted the CPRS Med Button Security Key. Activity Log in to the Neehr Perfect website at neehrperfect.com. 1. Make note of any security features (or safeguards) you see on the login screen. _________________________________________________________________ 3 Neehr Perfect EHR Activity-Introduction to Privacy, Security and Confidentiality v2 Archetype Innovations LLC ©2013 Select the EHR icon and log in to the EHR. But when you log in to the EHR purposefully type the wrong username and password. Note: Your screen may look different than what is shown in the screen shots. 2. What type of error message or pop-up message do you get? _________________________________________________________________ 3. Make note of any security features you see on the login screen. _________________________________________________________________ 4 Neehr Perfect EHR Activity-Introduction to Privacy, Security and Confidentiality v2 Archetype Innovations LLC ©2013 The second time you log in to the EHR use your correct access code and verify code. 4. Suppose this is the first time that you have logged into the system. What additional safeguards could be put into place to improve the security of the login function? ________________________________________________________________ 5 Neehr Perfect EHR Activity-Introduction to Privacy, Security and Confidentiality v2 Archetype Innovations LLC ©2013 After logging in, begin typing the word “Smith” in the search box. 5. What patients are showing in your list with the last name of “Smith”. __________________________________________________________________ Using the following one-time credentials you will log in to the EHR as a provider. Close out of the EHR by clicking on File > Exit. Back at the EHR icon screen click on the EHR icon and use these codes: Access Code: doctor01 Verify Code: password.2 After logging in, begin typing the word “Smith” in the search box, just as you did before. 6. What patients are showing in your list with the last name of “Smith”. _________________________________________________________________ 6 Neehr Perfect EHR Activity-Introduction to Privacy, Security and Confidentiality v2 Archetype Innovations LLC ©2013 7. What would account for the discrepancy in the patient list for each of these users? __________________________________________________________________ __________________________________________________________________ Security and Confidentiality The idle warning will pop up on the screen after 30 minutes of complete inactivity in the EHR. Once the idle warning appears, you have 45 seconds to press the button and continue working. After 30 more minutes of complete inactivity, the idle window will pop up again. A ‘timeout’ ensures that a record can be accessed by others who might need it if someone has opened the record, but is not using it. On the other hand it also ensures that if the medical record is left open on a computer and then left, that it will automatically close after a specified amount of time to ensure confidentiality. 8. Describe a situation where the CPRS Timeout may appear? __________________________________________________________________ __________________________________________________________________ __________________________________________________________________ 9. Explain why this automatic ‘timeout’ feature is important in regards to security and confidentiality of a patient personal medical record? __________________________________________________________________ __________________________________________________________________ __________________________________________________________________ 7 Neehr Perfect EHR Activity-Introduction to Privacy, Security and Confidentiality v2 Archetype Innovations LLC ©2013 References The Nationwide Privacy and Security Framework for Electronic Exchange of Individually Identifiable Health Information. c2008. Available from: http://healthit.hhs.gov/portal/server.pt/gateway/PTARGS_0_10731_848088_0_0_18/N ationwidePS_Framework-5.pdf Adapted from and modified for use with Neehr Perfect EHR: Health IT Workforce Curriculum Working with Health IT Systems Version 3.0/Spring 2012 Protecting Privacy, Security, and Confidentiality in HIT Systems This material was developed by Johns Hopkins University, funded by the Department of Health and Human Services, Office of the National Coordinator for Health Information Technology under Award Number IU24OC000013. 8 Neehr Perfect EHR Activity-Introduction to Privacy, Security and Confidentiality v2 Archetype Innovations LLC ©2013